* Re: pyzor/spam changes in policy
From: Christopher J. PeBenito @ 2007-03-07 20:29 UTC
To: dwalsh; +Cc: selinux

On Mon, 2007-02-26 at 12:35 -0500, dwalsh@localhost.localdomain wrote:
> New directory for spamassassin /var/lib/
> spam needs to send signals to pyzor
> pyzor uses tmp files

Merged most, exceptions:

> +interface(`spamassassin_manage_lib_files',`
> + gen_require(`
> + type spamd_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
> + manage_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
> +')

Removed the dirs part. If there is an interface needed that has both,
then there should be a more abstract interface.

> @@ -139,6 +148,7 @@
>
> tunable_policy(`spamd_enable_home_dirs',`
> userdom_home_filetrans_generic_user_home_dir(spamd_t)
> + userdom_manage_generic_user_home_dirs(spamd_t)
> userdom_manage_generic_user_home_content_dirs(spamd_t)
> userdom_manage_generic_user_home_content_files(spamd_t)
> userdom_manage_generic_user_home_content_symlinks(spamd_t)

I don't understand why spamd_t would be creating new top level home
directories, for example the /home/myuser dir.
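Review bot: `spamassassin_manage_lib_files` grants manage on both dirs and files of `spamd_var_lib_t` while its name promises only files, so a caller that picks it by name gets more than it asked for. Keep name and body in step: either drop the `manage_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)` line, or rename the interface (for instance `spamassassin_manage_lib`) and say in its summary that it covers the whole directory tree.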
> @@ -184,6 +194,7 @@
>
> optional_policy(`
> pyzor_domtrans(spamd_t)
> + pyzor_signal(spamd_t)
> ')

Dropped this and the following, because the interface looks wrong ($1 is
the object).

> +########################################
> +## <summary>
> +## Send generic signals to pyzor
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`pyzor_signal',`
> + gen_require(`
> + type pyzor_t;
> + ')
> +
> + allow pyzor_t $1:process signal;
> +')

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
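Review bot: The `allow pyzor_t $1:process signal;` line in `pyzor_signal` makes `$1` the target, while the doc block above it describes the parameter as the domain allowed access; with the `pyzor_signal(spamd_t)` call in the preceding hunk it would let pyzor_t signal spamd_t, the reverse of what the name and summary say. Under the convention the rest of the patch follows, the caller is the subject: `allow $1 pyzor_t:process signal;`. If the real requirement is the direction this rule happens to grant (pyzor signalling spamd), that rule belongs in the spamassassin module as an interface called with pyzor_t, not in pyzor.if.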
* Re: pyzor/spam changes in policy
From: Daniel J Walsh @ 2007-03-08 14:02 UTC
To: Christopher J. PeBenito, SE Linux

Christopher J. PeBenito wrote:
> On Mon, 2007-02-26 at 12:35 -0500, dwalsh@localhost.localdomain wrote:
>
>> New directory for spamassassin /var/lib/
>> spam needs to send signals to pyzor
>> pyzor uses tmp files
>>
>
> Merged most, exceptions:
>
>
>> +interface(`spamassassin_manage_lib_files',`
>> + gen_require(`
>> + type spamd_var_lib_t;
>> + ')
>> +
>> + files_search_var_lib($1)
>> + manage_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
>> + manage_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
>> +')
>>
>
> Removed the dirs part. If there is an interface needed that has both,
> then there should be a more abstract interface.
>
>
>> @@ -139,6 +148,7 @@
>>
>> tunable_policy(`spamd_enable_home_dirs',`
>> userdom_home_filetrans_generic_user_home_dir(spamd_t)
>> + userdom_manage_generic_user_home_dirs(spamd_t)
>> userdom_manage_generic_user_home_content_dirs(spamd_t)
>> userdom_manage_generic_user_home_content_files(spamd_t)
>> userdom_manage_generic_user_home_content_symlinks(spamd_t)
>>
>
> I don't understand why spamd_t would be creating new top level home
> directories, for example the /home/myuser dir.
>
>
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203290
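Review bot: The bug link on its own does not say why spamd_t needs `userdom_manage_generic_user_home_dirs(spamd_t)` in the quoted `@@ -139,6 +148,7 @@` hunk; that interface grants manage permission on the user home directory type itself, not on content under it, which is wider than the `userdom_manage_generic_user_home_content_*` lines around it. Please quote the actual AVC denial from the bug in the patch mail so it is visible whether the need is `add_name`/`create` inside an existing home dir (a missing type transition into home content) or something that genuinely requires managing the home dir.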
>> @@ -184,6 +194,7 @@
>>
>> optional_policy(`
>> pyzor_domtrans(spamd_t)
>> + pyzor_signal(spamd_t)
>> ')
>>
>
> Dropped this and the following, because the interface looks wrong ($1 is
> the object).
>
>
>> +########################################
>> +## <summary>
>> +## Send generic signals to pyzor
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`pyzor_signal',`
>> + gen_require(`
>> + type pyzor_t;
>> + ')
>> +
>> + allow pyzor_t $1:process signal;
>> +')
>>
>
> This should be reversed. New patch:

[-- Attachment #2: spam.diff --]

--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-03-08 08:26:59.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/services/spamassassin.te 2007-03-08 09:00:04.000000000 -0500
@@ -85,6 +85,7 @@
corenet_tcp_bind_all_nodes(spamd_t)
corenet_tcp_bind_spamd_port(spamd_t)
corenet_tcp_connect_razor_port(spamd_t)
+corenet_tcp_connect_smtp_port(spamd_t)
corenet_sendrecv_razor_client_packets(spamd_t)
corenet_sendrecv_spamd_server_packets(spamd_t)
# spamassassin 3.1 needs this for its
@@ -147,6 +148,7 @@
tunable_policy(`spamd_enable_home_dirs',`
userdom_home_filetrans_generic_user_home_dir(spamd_t)
+ userdom_manage_generic_user_home_dirs(spamd_t)
userdom_manage_generic_user_home_content_dirs(spamd_t)
userdom_manage_generic_user_home_content_files(spamd_t)
userdom_manage_generic_user_home_content_symlinks(spamd_t)
--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-03-08 08:26:59.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/services/pyzor.te 2007-03-08 08:59:23.000000000 -0500
@@ -44,6 +44,8 @@
manage_dirs_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
+fs_search_auto_mountpoints(pyzor_t)
+
kernel_read_kernel_sysctls(pyzor_t)
kernel_read_system_state(pyzor_t)
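Review bot: `corenet_tcp_connect_smtp_port(spamd_t)` in the `@@ -85,6 +85,7 @@` hunk is not covered by the description at the top of the thread (new /var/lib directory, signals to pyzor, pyzor tmp files), and unlike the razor lines next to it carries no comment saying which spamd feature needs an outbound SMTP connection. Add a one-line comment or a sentence in the patch mail so this extra network permission is reviewed on its own merits instead of arriving alongside the home-dir and signal changes. The `@@ -147,6 +148,7 @@` hunk also resubmits `userdom_manage_generic_user_home_dirs(spamd_t)` unchanged without answering the objection above it.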
@@ -77,6 +79,7 @@
')

optional_policy(`
+ spamassassin_signal_spamd(pyzor_t)
spamassassin_read_spamd_tmp_files(pyzor_t)
')
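Review bot: `spamassassin_signal_spamd(pyzor_t)` in the `@@ -77,6 +79,7 @@` hunk now has pyzor as the caller, which fixes the subject/object mix-up from the first version, but the attachment touches only the two `.te` files and nothing in it defines `spamassassin_signal_spamd`; either that interface already exists in `spamassassin.if` upstream (say so in the mail) or it is missing from the patch and the module will not build. The first description said spamd needs to signal pyzor, so the mail should also state which direction is actually required and which signal pyzor sends.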
* Re: pyzor/spam changes in policy
From: Christopher J. PeBenito @ 2007-03-08 16:41 UTC
To: Daniel J Walsh; +Cc: SE Linux

On Thu, 2007-03-08 at 09:02 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2007-02-26 at 12:35 -0500, dwalsh@localhost.localdomain wrote:
> >> @@ -139,6 +148,7 @@
> >>
> >> tunable_policy(`spamd_enable_home_dirs',`
> >> userdom_home_filetrans_generic_user_home_dir(spamd_t)
> >> + userdom_manage_generic_user_home_dirs(spamd_t)
> >> userdom_manage_generic_user_home_content_dirs(spamd_t)
> >> userdom_manage_generic_user_home_content_files(spamd_t)
> >> userdom_manage_generic_user_home_content_symlinks(spamd_t)
> >>
> >
> > I don't understand why spamd_t would be creating new top level home
> > directories, for example the /home/myuser dir.
> >
> >
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203290

I think this would be the correct fix:

@@ -146,10 +146,10 @@
files_dontaudit_read_root_files(spamd_t)
tunable_policy(`spamd_enable_home_dirs',`
- userdom_home_filetrans_generic_user_home_dir(spamd_t)
userdom_manage_generic_user_home_content_dirs(spamd_t)
userdom_manage_generic_user_home_content_files(spamd_t)
userdom_manage_generic_user_home_content_symlinks(spamd_t)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir)
')
')

since it is creating the ~/.spamassassin dir, the filetrans
user_home_dir_t -> user_home_t was missing. The filetrans that was in
there did home_root_t -> user_home_dir_t.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
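Review bot: Replacing `userdom_home_filetrans_generic_user_home_dir` with `userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir)` in the `@@ -146,10 +146,10 @@` hunk is the least-privilege fix for creating `~/.spamassassin`: the removed line labelled new entries under `home_root_t` as whole home directories, which spamd never needs, while the added line labels a new `dir` created inside a home directory as home content, and the existing `userdom_manage_generic_user_home_content_*` lines already cover what spamd does below it. One thing to confirm before merging: the call passes only `dir`, so a file that spamd created directly in the top level of a home directory would get no transition; if the ~/.spamassassin directory is the only thing spamd creates there, `dir` is the right and tightest choice.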
* Re: pyzor/spam changes in policy
From: Daniel J Walsh @ 2007-03-08 16:48 UTC
To: Christopher J. PeBenito; +Cc: SE Linux

Christopher J. PeBenito wrote:
> On Thu, 2007-03-08 at 09:02 -0500, Daniel J Walsh wrote:
>
>> Christopher J. PeBenito wrote:
>>
>>> On Mon, 2007-02-26 at 12:35 -0500, dwalsh@localhost.localdomain wrote:
>>>
>>>> @@ -139,6 +148,7 @@
>>>>
>>>> tunable_policy(`spamd_enable_home_dirs',`
>>>> userdom_home_filetrans_generic_user_home_dir(spamd_t)
>>>> + userdom_manage_generic_user_home_dirs(spamd_t)
>>>> userdom_manage_generic_user_home_content_dirs(spamd_t)
>>>> userdom_manage_generic_user_home_content_files(spamd_t)
>>>> userdom_manage_generic_user_home_content_symlinks(spamd_t)
>>>>
>>>>
>>> I don't understand why spamd_t would be creating new top level home
>>> directories, for example the /home/myuser dir.
>>>
>>>
>>>
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203290
>>
>
> I think this would be the correct fix:
>
> @@ -146,10 +146,10 @@
> files_dontaudit_read_root_files(spamd_t)
>
> tunable_policy(`spamd_enable_home_dirs',`
> - userdom_home_filetrans_generic_user_home_dir(spamd_t)
> userdom_manage_generic_user_home_content_dirs(spamd_t)
> userdom_manage_generic_user_home_content_files(spamd_t)
> userdom_manage_generic_user_home_content_symlinks(spamd_t)
> + userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir)
> ')
> ')
>
> since it is creating the ~/.spamassassin dir, the filetrans
> user_home_dir_t -> user_home_t was missing. The filetrans that was in
> there did home_root_t -> user_home_dir_t.
>
>
That's ok with me.
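The two interface defects called out in the first reply of this thread, an allow rule with `$1` as the object and a `_files` interface whose body also manages dirs, can be caught mechanically. This is an added check, not code from the thread or from the reference policy; it assumes the refpolicy convention that `$1` is the calling domain, and takes the quoted interface text, embedded here as a constructed sample, as its input.

```python
import re

# Constructed sample: the two interfaces from the first patch as quoted in
# the thread (doc blocks omitted, indentation collapsed as on the page).
SAMPLE_IF = r"""
interface(`pyzor_signal',`
 gen_require(`
 type pyzor_t;
 ')

 allow pyzor_t $1:process signal;
')

interface(`spamassassin_manage_lib_files',`
 gen_require(`
 type spamd_var_lib_t;
 ')

 files_search_var_lib($1)
 manage_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
 manage_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
')
"""

# An interface body runs from interface(`name',` to the first ') at column 0.
IFACE_RE = re.compile(r"interface\(`(\w+)',`(.*?)\n'\)", re.S)
# allow <source> <target>:<class> <perms>;
ALLOW_RE = re.compile(r"\ballow\s+(\S+)\s+([^\s:]+):(\w+)")
# Pattern macros that grant write-class access on directories.
DIR_PATTERN_RE = re.compile(r"\b(manage|create|delete|rw|write)_dirs_pattern\(")


def lint_interfaces(text):
    """Return [(interface_name, problem)] for the two defects discussed."""
    findings = []
    for name, body in IFACE_RE.findall(text):
        for src, tgt, cls in ALLOW_RE.findall(body):
            # $1 is the caller's domain and must be the subject; a rule with
            # $1 as the object gives the module's type access to the caller,
            # the reverse of what a "Domain allowed access" param promises.
            if tgt == "$1" and src != "$1":
                findings.append((name, f"allow rule makes $1 the object: "
                                       f"allow {src} {tgt}:{cls}"))
        if name.endswith("_files") and DIR_PATTERN_RE.search(body):
            findings.append((name, "name says _files but body manages dirs"))
    return findings


if __name__ == "__main__":
    for iface, problem in lint_interfaces(SAMPLE_IF):
        print(f"{iface}: {problem}")
```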